Subscription Bombing: Email Under Attack


Subscription Bombing: Email under Attack – Communications of the ACM


Email subscription bombing (also known as subscription flooding or email spam bombing) is an attack technique that overwhelms a target’s inbox with a high volume of benign but unwanted emails. The emails are sent by legitimate third parties (such as mailing lists) and therefore typically pass spam filters. The attack vector traces back to the beginning of the public Internet and has recently re-emerged at scale. Unlike classic email bombing, where attackers send large volumes directly, subscription bombing introduces a layer of indirection. The attacker registers the victim’s email address with thousands of third-party online services, which act as amplifiers that flood the target’s inbox with legitimate subscription confirmations and notification messages. Such emails are much harder for the receiving email server to block automatically.

Modern spam filtering relies on multiple signals, including sender reputation, email headers, and message content. For subscription attacks, the sending server generally has a good reputation and is not on a public blocklist; header checks (such as SPF, DMARC, or DKIM) are usually passed; and the subject and body text are different for each email and generally do not match typical phishing phrases that could be detected. While the flood of messages renders the inbox unusable, the true objective is often not just denial-of-service but to hide specific legitimate emails that arrive during the attack, thereby obscuring unauthorized financial transactions, account compromises, or ransomware deployment attempts. Early attacks scanned the Internet for sign-up forms and then scripted the sign-up process. In 1996, a stockbroker was bombarded with 25,000 emails, gathering some media attention at the time [1]. Since then, attacks have come in waves and have been modernized. In 2016, hundreds of email addresses of the U.S. government were targeted, and some were subscribed to more than 10,000 newsletters [6]. As organizations increasingly rely on digital communication channels, understanding the mechanics of these orchestrated distractions and their role in broader attack chains has become essential for maintaining operational continuity and financial security.

Beyond newsletters, attackers exploit other services capable of generating emails to a chosen target. This includes password reset requests, account registration confirmations, customer support forms, promotional emails, and social media notifications. These third-party services act as unwitting relays, with attackers hijacking their good reputation and bandwidth to execute the subscription bombing attack. We have monitored email trends since 2015 and have observed a recent increase in such attacks. In this study, we analyze 24 concrete subscription bombing attack campaigns using a large dataset from an email security provider, encompassing 46,970 involved unwanted emails. We define key metrics, outline attack timelines, and provide insight into the operational patterns of these campaigns. Furthermore, we examine subscription bombing services offered on the Dark Web and categorize their capabilities. Mitigating these attacks is challenging due to the large set of email senders, but automated unsubscription may reduce the impact. Given the simplicity of carrying out these asymmetric subscription bombing attacks, we expect the volume to grow in the future.
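A receiving-side heuristic for the pattern described above, as an added example that is not from the article: because each message passes per-message checks, it looks at the per-recipient aggregate and flags a recipient when the number of first-seen sender domains inside a sliding window reaches a threshold, keeping the List-Unsubscribe values of the burst for later cleanup. The window, threshold, class and function names, and the sample messages are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

WINDOW = timedelta(minutes=10)  # assumed sliding window
THRESHOLD = 5                   # assumed: first-seen sender domains per window


class BombingDetector:
    """Flags a recipient receiving a burst of mail from first-seen domains."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.known = defaultdict(set)     # recipient -> domains seen so far
        self.recent = defaultdict(deque)  # recipient -> (time, domain, unsub)

    def observe(self, raw):
        """Feed one RFC 5322 message; True once the recipient looks bombed."""
        msg = message_from_string(raw)
        rcpt = parseaddr(msg["To"])[1].lower()
        domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
        when = parsedate_to_datetime(msg["Date"])
        queue = self.recent[rcpt]
        if domain not in self.known[rcpt]:  # only new senders count
            self.known[rcpt].add(domain)
            queue.append((when, domain, msg.get("List-Unsubscribe", "")))
        while queue and when - queue[0][0] > self.window:
            queue.popleft()                 # expire entries outside the window
        return len(queue) >= self.threshold

    def unsubscribe_targets(self, rcpt):
        """List-Unsubscribe values from the current burst, for later cleanup."""
        return [u.strip("<>") for _, _, u in self.recent[rcpt] if u]


def sample(i, minute, rcpt="victim@example.org"):
    """Constructed confirmation mail from a distinct sender domain."""
    return (f"From: News <no-reply@service{i}.example>\nTo: {rcpt}\n"
            f"Date: Mon, 02 Jun 2025 09:{minute:02d}:00 +0000\n"
            f"Subject: Please confirm your subscription\n"
            f"List-Unsubscribe: <https://service{i}.example/u>\n\nWelcome!\n")


def run_demo():
    det = BombingDetector()
    baseline = [det.observe(sample(0, m)) for m in (0, 1, 2)]  # one known sender
    burst = [det.observe(sample(i, 20 + i)) for i in range(1, 7)]  # six new ones
    return baseline, burst, det.unsubscribe_targets("victim@example.org")
```

Repeated mail from an already known sender never raises the count, so a busy but normal inbox stays below the threshold while a burst of new senders trips it.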

Subscription Bombing

Attackers typically abuse services that are well known, reputable, and easy to automate using sign-up scripts. Newsletters are the most common targets, followed by account registration confirmation messages. However, attackers have also been seen posting product listings, job postings, support inquiries, hotel bookings, or even apartment listings on online platforms, generating genuine inquiries from human users. The third-party services involved are not compromised or necessarily misconfigured, and no vulnerability in the email server is exploited. The attackers are simply abusing benign (but sometimes overly permissive) features.

The underlying security issue for all services is that, essentially, an attacker can register the victim without their permission, and the victim will then receive unwanted messages in their inbox. Key to eradicating this attack vector is that each service will have to improve its sign-up process with a two-step confirmation procedure. There are three key challenges here: a lot of distinct services will have to be updated; a service provider may not be interested in improving its security if it considers the number of registered users as a success metric; and even with proper validation the...
